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Description 

Technical Field 

[0001] This invention relates to personal computer 
systems and, more particularly, to such a system having 
security features enabling control over access to data 
retained in such a system. 

Background to the Invention 

[0002] Personal computer systems In general and 
IBM personal computers in particular have attained 
widespread use for providing computer power to many 
segments of today's modem society. Personal computer 
systems can usually be defined as a desk top, floor 
standing, or portable microcomputer that consists of a 
system unit having a single system processor and as- 
sociated volatile and non-volatile memory, a display 
monitor, a keyboard, one or more diskette drives, a fixed 
disk storage, and an optional printer. One of the distin- 
guishing characteristics of these systems is the use of 
a motherboard or system planar to electrically connect 
these components together. These systems are de- 
signed primarily to give independent computing power 
to a single user and are inexpensively priced for pur- 
chase by individuals or small businesses. Examples of 
such personal computer systems are IBM's PERSONAL 
COMPUTER AT and IBM's PERSONAL SYSTEM/2 
Models 25, 30, 35, 40, L40SX, 50, 55, 57, 65, 70, 80, 
90 and 95. 

[0003] These systems can be classified into two gen- 
eral families. The first family, usually referred to as Fam- 
ily I Models, use a bus architecture exemplified by the 
IBM PERSONAL COMPUTER AT and other "IBM com- 
patible" machines. The second family, referred to as 
Family II Models, use IBM's MICRO CHANNEL bus ar- 
chitecture exemplified by IBM's PERSONAL SYSTEM/ 
2 Models 50 through 95. Early Family I models typically 
used the popular INTEL 8088 or 8086 microprocessor 
as the system processor. Certain later Family I and the 
Family II models typically use the high speed INTEL 
80286, 80386, and 80486 microprocessors which can 
operate in a real mode to emulate the slower speed IN- 
TEL 8086 microprocessor or a protected mode which 
extends the addressing range from 1 megabyte to 4 Gi- 
gabytes for some models. In essence, the real mode 
feature of the 80286, 80386, and 80486 processors pro- 
vides hardware compatibility with software written for 
the 8086 and 8088 microprocessors. 
[0004] With the phenomenal growth and use of per- 
sonal computers in the world in recent years, more and 
more data or information is being collected and retained 
or stored in such systems. A lot of this data is sensitive 
in nature. In the wrong hands, data could become em- 
barrassing to individuals, a company could lose a com- 
petitive edge, or sensitive data could be used to force 
payment for silence or lead to physical violence against 



individuals. As more users recognize the sensitive na- 
ture of data and its value, the more it becomes desirable 
to protect against such misuse. To protect themselves 
and the persons associated with the stored data, users 

s are requiring incorporation of security and integrity fea- 
tures into the personal computers that they purchase. 
Users are not the only people to recognize the sensitivity 
of the data being collected and stored. Governments are 
also enacting laws to enforce protection of sensitive da- 

10 ta. One such government is that of the United States. It 
has recognized and responded to the gravity of the sit- 
uation. The United States federal government has de- 
fined security levels and the associated requirements it 
takes to meet those levels, and provides a certification 

is agency for personal computer manufacturers to submit 
their personal computers in order to see if the systems 
meet the security level claimed by the manufacturer. 
The source for the Federal Requirements is the Depart- 
ment of Defense, Trusted Computer System Evaluation 

20 Criteria, DOD 5200.28 STD, 12/85, generally referred 
to as The Orange Book. The government has legislated 
that by January 1, 1992 all data related to the govern- 
ment must only be processed and stored on personal 
computers with a minimum security level of C-2. As re- 

25 gards computer system hardware, the essence of the 
requirements is contained in the Assurance section, Re- 
quirement 6: "trusted mechanisms must be continuously 
protected against tampering and/or unauthorized 
changes... " 

30 [0005] Beginning with the earliest personal computer 
system of the Family I models, such as the IBM Personal 
Computer, it was recognized that software compatibility 
would be of utmost importance. In order to achieve this 
goal, an insulation layer of system resident code, also 

35 known as "firmware", was established between the 
hardware and software. This firmware provided an op- 
erational interface between a user's application pro- 
gram/operating system and the device to relieve the us- 
er of the concern about the characteristics of hardware 

40 devices. Eventually, the code developed into a Basic I n- 
put/Output System (BIOS), for allowing new devices to 
be added to the system, while insulating the application 
program from the peculiarities of the hardware. The im- 
portance of BIOS was immediately evident because it 

45 freed a device driver from depending on specific device 
hardware characteristics while providing the device driv- 
er with an intermediate interface to the device. Since BI- 
OS was an integral part of the system and controlled the 
movement of data in and out of the system processor, 

50 it was resident on the system planar and was shipped 
to the user in a read only memory (ROM). For example, 
BIOS in the original IBM Personal Computer occupied 
8K of ROM resident on the planar board. 
[0006] As new models of the personal computer fam- 

55 ny were introduced, BIOS had to be updated and ex- 
panded to include new hardware and I/O devices. As 
could be expected, BIOS started to increase in memory 
size. For example, with the introduction of the IBM PER- 
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SONAL COMPUTER AT, BIOS grew to require 32K 
bytes of ROM. 

[0007] Today, with the development of new technolo- 
gy, personal computer systems of the Family II models 
are growing even more sophisticated and are being s 
made available to consumers more frequently. Since the 
technology is rapidly changing and new I/O devices are 
being added to the personal computer systems, modifi- 
cation to the BIOS has become a significant problem in 
the development cycle of the personal computer sys- 
tem. 

[0008] For instance, with the introduction of the IBM 
Personal System/2 with Micro Channel architecture, a 
significantly new BIOS, known as advanced BIOS, or 
ABIOS, was developed. However, to maintain software 
compatibility, BIOS from the Family I models had to be 
included in the Family II models. The Family I BIOS be- 
came known as Compatibility BIOS or CBIOS. However, 
as previously explained with respect to the IBM PER- 
SONAL COMPUTER AT, only 32K bytes of ROM were 
resident on the planar board. Fortunately, the system 
could be expanded to 96K bytes of ROM. Unfortunately, 
because of system constraints, this turned out to be the 
maximum capacity available for BIOS. Luckily, even 
with the addition of ABIOS, ABIOS and CBIOS could 
still squeeze into 96K of ROM. However, only a small 
percentage of the 96K ROM area remained available for 
expansion. It has been believed that, with the addition 
of future I/O devices, CBIOS and ABIOS will eventually 
run out of ROM space. Thus, new I/O technology will 
not be able to be easily integrated within CBIOS and 
ABIOS. 

[0009] Due to these problems, plus the desire to make 
modifications in Family II BIOS as late as possible in the 
development cycle, it became necessary to offload por- 
tions of BIOS from the ROM. This was accomplished by 
storing portions of BIOS on a mass storage device such 
as a fixed disk, preferably in a defined portion of such a 
disk known as a system partition. Since a disk provides 
writing as well as reading capabilities, it became feasible 
to modify the actual BIOS code on the disk. The disk, 
while providing a fast and efficient way to store BIOS 
code, nevertheless greatly increased the probability of 
the BIOS code being corrupted. Since BIOS is an inte- 
gral part of the operating system, a corrupt BIOS could 
lead to devastating results and in many cases to com- 
plete failure and non-operation of the system. Thus, it 
became quite apparent that a means for preventing un- 
authorized modification of the BIOS code on the fixed 
disk was highly desirable. This was the subject matter 
of U.S. Patent Application Ser. No. 07/398,820, filed 
08/25/89, and now United States Patent 5,022,077 is- 
sued 4 June 1991. The interested reader is referred to 
that patent for additional information possibly helpful in 
understanding of the invention here disclosed, and the 
disclosure of that patent is hereby incorporated by ref- 
erence into this specification to any extent necessary to 
a full understanding of the inventions here disclosed. 



[0010] With the introduction of IBM's PS/2 Micro 
Channel Systems came the removal of switches and 
jumpers from I/O adapter cards and planar. The Micro 
Channel Architecture provided for programmable regis- 
ters to replace them. Utilities to configure these pro- 
grammable registers or programmable option select 
(POS) registers were required. These, and other utilities 
to improve system usability characteristics along with 
system diagnostics, were shipped with each system on 
a system reference diskette. 

[0011] Prior to initial use, each MicroChannel System 
requires that its POS registers be initialized. For exam- 
ple, if the system is booted with a new I/O card, or a slot 
change for an I/O card, a configuration error is generat- 
ed and the system boot up procedure halts. The user is 
then prompted to load the system reference diskette and 
press the F1 key. A "Set Configuration Utility" can then 
be booted from the system reference diskette to config- 
ure the system. The Set Configuration Utility will prompt 
the user for the desired action. If the appropriate I/O 
card's descriptor files are loaded on the system refer- 
ence diskette, the Set Configuration Utility will generate 
the correct POS or configuration data in non -volatile 
storage. The descriptor file contains configuration infor- 
mation to interface the card to the system. 
[0012] EP-432333-A describes a computer system 
having a power-on password stored in non -volatile 
memory wherein entry of the power-on password by a 
system manager permits access to all of the computer 
functions; the system also has the facility of at least one 
additional password held in non-volatile memory, 
wherein entry of the additional password by a user per- 
mits the system to boot in a manner preselected by the 
system manager. 

Brief Description of the Invention 

[0013] With the foregoing in mind, the present inven- 
tion provides a system and method as described in the 
appended claims. Thus a personal computer can in- 
clude means for limiting access to certain critical data 
to only those users who have a proper privilege to ac- 
cess such data by providing a specialized memory ele- 
ment for receiving and storing a Privileged Access Pass- 
word (sometimes hereinafter called a "PAP") and for co- 
ordinating the access granted to various functions and 
data to the activation and usage of the PAP. 
[0014] A user may have choices to activate or inacti- 
vate the security provisions made available, so that the 
system can be adapted to varying needs or desires for 
securing the usage of the system. Such a system may 
be adapted to the security requirements of governmen- 
tal standards if desired and yet also used in an essen- 
tially unsecured manner should the circumstances of 
use so permit. Thus users of such systems are given 
great flexibility in application of the systems. 
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Brief Description of the Drawings 

[0015] Some of the objects of the invention having 
been stated, other objects will appear as the description 
proceeds, when taken in connection with the accompa- 
nying drawings, in which: 

Figure 1 is a perspective view of a personal com- 
puter embodying this invention; 
Figure 2 is an exploded perspective view of certain 
elements of the personal computer of Figure 1 in- 
cluding a chassis, a cover, and a planar board and 
illustrating certain relationships among those ele- 
ments; 

Figure 3 is a schematic view of certain components 
of the personal computer of Figures 1 and 2; 
Figures 4 and 5 are schematic representations of 
certain components of the personal computer of 
Figures 1 and 2 which are related to the security 
features of the present invention; 
Figure 6 is an enlarged scale perspective view of 
certain components illustrated in Figures 4 and 5; 
Figure 7 is a view similar to Figure 6 of certain op- 
tional components of the personal computer of Fig- 
ures 1, 2, 4 and 5 which are related to the security 
features of the present invention; and 
Figures 8, 9a and 9b are schematic flow charts of 
certain functions involved in the security options 
available in accordance with the present invention. 

Detailed Description of Invention 

[0016] While the present invention will be described 
more fully hereinafter with reference to the accompany- 
ing drawings, in which a preferred embodiment of the 
present invention is shown, it is to be understood at the 
outset of the description which follows that persons of 
skill in the appropriate arts may modify the invention 
here described while still achieving the favorable results 
of this invention. Accordingly, the description which fol- 
lows is to be understood as being a broad, teaching dis- 
closure directed to persons of skill in the appropriate 
arts, and not as limiting upon the present invention. 

Certain defined terms may be used herein, as follows: 

[0017] TRUSTED COMPUTING BASE (TCB): The to- 
tality of protection mechanisms within a computer sys- 
tem - including hardware, firmware and software -the 
combination of which is responsible for enforcing a se- 
curity policy. A TCB consists of one or more components 
that together enforce a unified security policy over a 
product or system. The ability of a TCB to correctly en- 
force a security policy depends solely on the mecha- 
nisms within the TCB and on the correct input by system 
administrative personnel of parameters (e.g. a user's 
clearance) related to the security policy. 
[0018] TRUSTED SOFTWARE: The software portion 



of a Trusted Computing Base. 

[0019] REFERENCE MONITOR CONCEPT: An ac- 
cess control concept that refers to an abstract machine 
that mediates all accesses to objects by subjects. 

5 [0020] SECURITY KERNEL: The hardware, firmware 
and software elements of a Trusted Computing Base 
that implement the reference monitor concept. It must 
mediate all accesses, be protected from modification 
and be verifiable as correct. 

10 [0021] TRUSTED COMPUTER SYSTEM: A system 
that employs sufficient hardware and software integrity 
measures to allow its use for processing simultaneously 
a range of sensitive or classified information. 
[0022] SYSTEM OWNER: The system owner is the 

15 user who is responsible for configuring and placing a 
system in secure mode initially. The system owner will 
control configuration both initially and whenever an up- 
date needs to be made. This person will control the Priv- 
ileged Access Password and be responsible for main- 

20 taining its integrity. The system owner will also maintain 
physical security of the tamper evident cover keylock 
key. The system owner will be responsible for maintain- 
ing security logs on all systems. The system owner will 
also have to record all attempted security breaches. The 

25 system owner may own more than one system. The sys- 
tem owner is considered an authorized user and can al- 
so be a normal user. 

[0023] SECURE MODE: When a system owner has 
successfully installed the Privileged Access Password 

30 on a personal computer system to invoke security pro- 
tection provided by the security and integrity elements. 
' [0024] AUTHORIZED USER: Any user who is given 
permission to use the Privileged Access Password. This 
person may or may not be the system owner. This per- 

35 son may also have a key for a particular system or a set 
of systems. If this person is involved in recovering a sys- 
tem from a security breach, they are responsible for re- 
porting it to the system owner. An authorized user may 
also be a normal user. 

40 [0025] NORMAL USER: Any user of the systems au- 
thorized to use the systems facilities. In order to change 
a systems configuration or fix a problem, this user re- 
quires the assistance of either the system owner or an 
authorized user. The normal user does not have the 

45 Privileged Access Password or the cover key unless 
they belong to either the authorized user or system own- 
er category. 

[0026] UNAUTHORIZED USER: Any one not defined 
as a system owner, authorized user or normal user. Any 
50 use of a secured personal computer system by an un- 
authorized user is considered a security breach, other 
than an unsuccessful power on, and an audit trail must 
exist showing such breaches. 

[0027] EE PROM: Electrically Erasable Prog ram ma- 
55 ble Read Only Memory. This memory technology pro- 
vides for non -volatile storage of data that can be 
changed under control of hardware logic. Contents of 
storage is not lost when power is absent. Contents may 
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be altered only when the appropriate controls signals on 
the module are activated in the predefined sequence. 
[0028] PASSWORD DESCRIPTION: The system has 
the potential to be protected by two passwords: 1 . Priv- 
ileged Access Password (PAP) and 2. Power On Pass- s 
word (POP). These passwords are intended to be used 
independently of one another. The PAP is designed to 
provide protection for the system owner by protecting 
the Initial Program Load (I PL) device boot list, access 
to the password utility, and access to the System Ret- 10 
erence Diskette or System Partition. The System Parti- 
tion will only be booted in response to a POST error if 
there is no PAP installed or the PAP was entered initially 
during the power on sequence. Initial BIOS Load (IBL) 
from a diskette will be secured in the same manner as is 
booting the System Reference Diskette. The existence 
of the PAP will be transparent to a normal user using the 
POP. The PAP will be installed, changed.or deleted by 
a utility on the System Reference Diskette or in the Sys- 
tem Partition. The PAP, when set and entered correctly, 20 
will give the owner access to the entire system, overrid- 
ing the POP. The POP, working as on all current PS/2 
systems, is used to prevent any unauthorized access to 
the Operating System on the DASD or the facilities of 
the system. 25 
[0029] Referring now more particularly to the accom- 
panying drawings, a microcomputer embodying the 
present invention is there shown and generally indicated 
at 10 (Figure 1). As mentioned hereinabove, the com- 
puter 1 0 may have an associated monitor 1 1 , keyboard 30 
1 2 and printer or plotter 1 4. Th e computer 1 0 has a cover 
15 which cooperates with a chassis 19 in defining an 
enclosed, shielded volume for receiving electrically 
powered data processing and storage components for 
processing and storing digital data, as shown in Figure 35 
2. In the form illustrated in Figure 2, the computer 10 
also has an optional I/O cable connection cover 16 
which extends over and protects the connection points 
of I/O cables with the computer system. At least certain 
of the system components are mounted on a multilayer 40 
planar 20 or motherboard which is mounted on the chas- 
sis 1 9 and provides a means for electrically intercon- 
necting the components of the computer 10 including 
those identified above and such other associated ele- 
ments as floppy disk drives, various forms of direct ac- 
cess storage devices, accessory cards or boards, and 
the like. 

[0030] The chassis 19 has a base and a rear panel 
(Figure 2, and which may be covered externally by the 
cable connection cover 16) and defines at least one so 
open bay for receiving a data storage device such as a 
disk drive for magnetic or optical disks, a tape backup 
drive, or the like. In the illustrated form, an upper bay 22 
is adapted to receive peripheral drives of a first size 
(such as those known as 3.5 inch drives). A floppy disk ss 
drive, a removable media direct access storage device 
capable of receiving a diskette inserted thereinto and 
using the diskette to receive, store and deliver data as 



is generally known, may be provided in the upper bay 
22. 

[0031] Prior to relating the above structure to the 
present invention, a summary of the operation in general 
of the personal computer system 10 may merit review. 
Referring to Figure 3, there is shown a block diagram of 
a personal computer system illustrating the various 
components of the computer system such as the system 
10 in accordance with the present invention, including 
components mounted on the planar 20 and the connec- 
tion of the planar to the I/O slots and other hardware of 
the personal computer system. Connected to the planar 
is the system processor 32. While any appropriate mi- 
croprocessor can be used as the CPU 32, one suitable 
microprocessor is the 80386 which is sold by INTEL. 
The CPU 32 is connected by a high speed CPU local 
bus 34 to a bus interface control unit 35, to volatile ran- 
dom access memory (RAM) 36 here shown as Single 
Inline Memory Modules (SIMMs) and to BIOS ROM 38 
in which is stored instructions for basic input/output op- 
erations to the CPU 32. The BIOS ROM 38 includes the 
BIOS that is used to interface between the I/O devices 
and the operating system of the microprocessor 32. In- 
structions stored in ROM 38 can be copied into RAM 36 
to decrease the execution time of BIOS. The system al- * 
so has, as has become conventional, a circuit compo- 
nent which has CMOS ROM for receiving and retaining 
data regarding the system configuration and a real time ' 
clock (RTC). 

[0032] While the present invention is described here- 
inafter with particular reference to the system block di- 
agram of Figure 3, it is to be understood at the outset of 
the description which follows that it is contemplated that 
the apparatus and methods in accordance with the 
present invention may be used with other hardware con- 
figurations of the planar board. For example, the system 
processor could be an Intel 80286 or 80486 microproc- 
essor. 

[0033] Returning now to Figure 3, the CPU local bus 
34 (comprising data, address and control components) 
also provides for the connection of the microprocessor 
32 with a math coprocessor 39 and a Small Computer 
Systems Interface (SCSI) controller 40. The SCSI con- 
troller 40 may, as is known to persons skilled in the arts 
of computer design and operation, be connected or con- 
nectable with Read Only Memory (ROM) 41 , RAM 42, 
and suitable external devices of a variety of types as 
facilitated by the I/O connection indicated to the right in 
the Figure. The SCSI controller 40 functions as a stor- 
age controller in controlling storage memory devices 
such as fixed or removable media electromagnetic stor- 
age devices (also known as hard and floppy disk drives), 
electro-optical, tape and other storage devices. 
[0034] The bus interface controller (BIC) 35 couples 
the CPU local bus 34 with an I/O bus 44. By means of 
the bus 44, the Bl C 35 is coupled with an optional feature 
bus such as a MICRO CHANNEL bus having a plurality 
of I/O slots for receiving MICRO CHANNEL adapter 
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cards 45 which may be further connected to an I/O de- 
vice or memory (not shown). The I/O bus 44 includes 
address, data, and control components. 
[0035] Coupled along the I/O bus 44 are a variety of 
I/O components such as a video signal processor 46 
which is associated with video RAM (VRAM) for storing 
graphic information (indicated at 48) and for storing im- 
age information (indicated at 49). Video signals ex- 
changed with the processor 46 may be passed through 
a Digital to Analog Converter (DAC) 50 to a monitor or 
other display device. Provision is also made for connect- 
ing the VSP 46 directly with what is here referred to as 
a natural image input/output, which may take the form 
of a video recorder/player, camera, etc. The I/O bus 44 
is also coupled with a Digital Signal Processor (DSP) 51 
which has associated instruction RAM 52 and data RAM 
54 available to store software instructions for the 
processing of signals by the DSP 51 and data involved 
in such processing. The DSP 51 provides for processing 
of audio inputs and outputs by the provision of an audio 
controller 55, and for handling of other signals by provi- 
sion of an analog interface controller 56. Lastly, the I/O 
bus 44 is coupled with a input/output controller 58 with 
an associated Electrical Erasable Programmable Read 
Only Memory (EEPROM) 59 by which inputs and out- 
puts are exchanged with conventional peripherals in- 
cluding floppy disk drives, a printer or plotter 14, key- 
board 12, a mouse or pointing device (not shown), and 
by means of a serial port. The EEPROM plays a part in 
the security provisions described hereinafter. 
[0036] In achieving certain objectives of the present 
invention as described more fully hereinafter, the per- 
sonal computer system 10 has an erasable memory el- 
ement mounted within the system enclosure for selec- 
tive activation to active and inactive states and for re- 
ceiving and storing a privileged access password (de- 
fined more fully hereinafter) when in the active state. 
The erasable memory element preferably is the electri- 
cally erasable programmable read only memory device 
or EEPROM 59 (Figure 3). The system also has an op- 
tion or security switch mounted within the enclosure and 
operatively connected with the erasable memory ele- 
ment 59 for setting that memory element to the active 
and inactive states and at least one tamper detection 
switch 60 (Figures 4, 5 and 6) mounted within the en- 
closure and operatively connected with the erasable 
memory element for detecting opening of the enclosure 
and for clearing any stored privileged access password 
from that memory element in response to any switching 
of the tamper switch. The option switch (also called se- 
curity switch in this disclosure) may be, for example, a 
jumper mounted on the system planar 20 and manually 
settable to two different states by a person having ac- 
cess to the planar. In one state, the EEPROM 59 is set 
to be active and to store a PAP as described herein. In 
the other, the PAP storage capability of the EEPROM is 
set to be inactive. 

[0037] The system processor 32, in accordance with 



this invention, is operatively connected with the EEP- 
ROM 59 and functions in part for controlling access to 
at least certain levels of data stored within the system 
by distinguishing between the active and inactive states 

s of the PAP storage capability of the memory element 
and between entry and non-entry of any stored privi- 
leged access password (PAP). By manipulating the op- 
tion switch, an operator (or more specifically the person 
charged with supervising and maintaining the security) 

10 of the system may select between secured operation of 
the system and unsecured operation of the system by 
selecting respective active and inactive states of the 
EEPROM. 

[0038] Referring now to the schematic views of Fig- 
15 ures 4 through 7, certain of the hardware features con- 
tributing to this invention will now be more particularly 
described. 

[0039] Figure 4 illustrates certain relationships among 
the conventional power control or "on/off" switch 61 , the 
20 conventional power supply 62, switches which change 
conductive state in response to opening or removal of 
enclosure covers such as the main cover 15 and the ca- 
ble connection cover 16, and a keylock switch 64. The 
switches which change state on opening or removal of 
25 enclosure covers are, in the illustrated form of this in- 
vention, two in number; namely a switch 65 (Figures 4, 
5 and 6) responsive to removal of the main cover 1 5 and 
a switch 66 (Figures 4, 5 and 7) responsive to removal 
of the cable connection cover 16. Each switch has two 
30 components, one normally open (65a and 66a, respec- 
tively) and one normally closed (65b and 66b, respec- 
tively). The second switch 66 is optional, as is the cable 
connection cover 16. However, as will be clear from a 
thoughtful consideration of the disclosure here made, 
35 the presence of the optional cover and switch assures 
more complete security control over the system. 
[0040] The normally open contact sets of the cover 
switches 65 and 66 are connected in series with the 
main power switch 61 and to the power supply 62 (Fig- 
40 ure 4). As a consequence, if an attempt is made to "pow- 
er up" the system 10 with the covers removed, the con- 
tact sets 65a and 66a will be open and prevent system 
operation. With the covers in place, the contact sets are 
held closed and normal system operation may be initi- 
os ated. 

[0041] The normally closed contact sets of the cover 
switches 65 and 66 are connected in series with the key- 
lock switch 64 and to the RTC and CMOS memory 68. 
The normally closed contact sets 65b and 66b are held 

so open by the presence of the covers 1 5, 1 6 and will close 
on the removal of those covers. The keylock switch 64 
is normally held closed on locking of the enclosure lock 
which is conventionally supplied on the computer sys- 
tem 10. These three contact sets provide an alternate 

55 path to ground for current otherwise energizing portions 
of the RTC and CMOS memory, and have the effect of 
clearing a segment of that memory if energization is lost, 
as upon unauthorized removal of a cover while the sys- 
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tem is in an enclosure locked state. As that memory is 
checked by POST, clearing of that segment will result in 
a configuration error signal being generated which will 
alert a system owner that an attempt (successful or oth- 
erwise) has been made to breach system security. s 
[0042] The keylock switch 64 and main enclosure 
cover switch 65 are preferably mounted on a front card 
guide member 69 (Figures 2 and 6) so as to be appro- 
priately positioned relative to the lock provided in the 
main enclosure cover 15. The front card guide member 10 
is mounted in the computer system frame is such a po- 
sition that an actuating lever 70 for the cover switch 65 
protrudes through an opening in the upright front frame 
member, to be actuated by the cover 15 when present 
and positioned to close the system enclosure. is 
[0043] The cable cover switch 66 is preferably mount- 
ed on the rear panel of the system frame, positioned to 
be actuated by a latch member mounted on the cable 
cover 16 and rotatable under the control of a manually 
operable keylock similar to that provided on the enclo- 20 
sure cover 15. When the optional cable cover 16 is used 
(as will be the case where full security of the system is 
desired or required), latching or locking of the cover to 
the rear panel causes the latch member to close the as- 
sociated normally open contact set 66a and open the 25 
normally closed contact set 66b. 

[0044] The new security and integrity features de- 
scribed above and hereinafter work independently of a 
previously offered personal computer security feature, 
the Power on Password (POP). These additional secu- 30 
rity and integrity features provide a secure platform for 
operating system certification under applicable regula- 
tions such as the Orange Book. An additional password 
is required to place the system in secure mode. The new 
password is here referred to as the Privileged Access 35 
Password (PAP). To maintain compatibility with previ- 
ous personal computer systems, the POP is still sup- 
ported. This disclosure deals with the new security and 
integrity features as they relate to POST and the pass- 
word utility executing on a personal computer system 40 
with an EE PROM, option switch, and tamper evident 
covers. 

[0045] Password Security is implemented by system 
hardware features; an EEPROM, a security switch and 
a tamper evident cover switch, firmware, POST and the 45 
system software password utility. Once the PAP has 
been installed, the system is in secure mode. The PAP 
is saved in the EEPROM. A backup copy of the PAP is 
also maintained in the EEPROM. This is done to prevent 
accidental loss of the PAP when a power failure occurs so 
during the installation, change, or removal of the PAP. 
[0046] Two bits in the EEPROM are used as a state 
machine that lets POST know exactly where the power 
outage occurred in the update sequence and if possible 
recover from a system board replacement situation. The ss 
password utility maintains the update indicator field, a 
two bit state machine used during any access to the 
PAP. If a power outage occurred during the password 



modification, when power is restored POST checks the 
state machine (POST actually checks the state machine 
on all power ups.) If the PAP is updated successfully (a 
'00' state), POST proceeds in the normal manner. If the 
update has started before power is lost (a '01' state), 
POST will check for the presence of a valid backup PAP. 
If valid, the user must enter the backup or old PAP to 
boot the system reference diskette or system partition. 
If not valid, POST will hang and the system owner will 
have to intervene to remedy the situation, which might 
require replacing the system board. If the primary PAP 
has been updated successfully (a '10' state), POST will 
use the primary PAP (the new PAP) to validate any at- 
tempts to use the system reference diskette or boot the 
system partition. POST will assume the backup PAP is 
invalid. POST will copy the primary PAP to the backup 
PAP in this case. 

[0047] If the option or security switch is not in the un- 
locked position an error will be displayed. The system 
owner will have to intervene by unlocking the covers and 
changing the position of the security switch. If the back- 
up PAP has been updated successfully (a '11' state), 
both the primary and backup PAP are considered valid 
and POST will verify the validity of the Primary PAP, prior 
to confirming the entry of the PAP by the user. « 
[0048] The POP is maintained in CMOS. Two bits will * 
be maintained in CMOS for use as a password indica- 
tors for the PAP. One indicator is used to signify that the 
system is in secure mode (PAP installed). The second 
indicator is to signify that the PAP was entered during 
the initial power on, cold boot. These two indicators will 
be initialized and set at the cold boot only Prior to I PL, 
the indicators will be write protected unless the system 
reference diskette or system partition is booted. 
[0049] To prevent any unauthorized access to the 
passwords, the I PL device boot list, the EEPROM CRC, 
and all the indicators will be locked prior to Initial Pro- 
gram Load (I PL) booting an operating system. To lock 
out these areas, POST will set special hardware latches 
that cannot be reset unless the system is powered off. 
At the beginning of POST Stage I, initial power on, 
POST will check to see if the EEPROM is locked. If it is 
locked, POST will display an error and halt the system 
because the hardware is not functional. The system 
owner will need to intervene to remedy the situation 
which might require that the system board be replaced. 
When the system has been tampered with, the first 14 
bytes of RAM storage in CMOS associated with the RTC 
and control registers are unaffected. The next 50 bytes 
of CMOS are set to all "one's" (binary value 1 ) as briefly 
described above. Upon detecting this condition, POST 
will halt and display an appropriate error. The system 
owner/authorized user will need to intervene to remedy 
the situation which might require that the system board 
be re-configured. 

[0050] If the system owner forgets the PAP, the sys- 
tem board(s) affected will need to be replaced. 
[0051] If the POP is forgotten, the system owner can 
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toggle the tamper evident cover switch to destroy the 
contents of CMOS as described above, and then enter 
the PAP (if installed) to boot the System Reference Dis- 
kette or the System Partition to run the password utility, 
to reinstall the POP. 

[0052] When a system has been powered on with nei- 
ther password installed, POST will not prompt for a 
password. However, if the System Reference Diskette 
is not present or the System Partition boot is not request- 
ed or present, POST will lock the POP, the PAP, the 
backup PAP, the I PL device boot list, the EEPROM 
CRC, and all the indicators. This is done to prevent any 
accidental or malicious access to these areas. If the 
System Reference Diskette is present or the System 
Partition boot is requested, these locations are left un- 
locked to allow the system owner to invoke secure 
mode. 

[0053] When a system has been powered on with a 
POP installed, but no PAP installed, POST will verify the 
POP password checksum. If the checksum is bad," 
POST will erase the POP in CMOS and not prompt for 
a password. Otherwise, POST will prompt for a pass- 
word. If the System Reference Diskette is not present 
or the System Partition boot is not requested, the POP, 
the PAP, the backup PAP, the I PL device boot list, the 
EEPROM CRC, and all the indicators will be locked to 
prevent any access. 

[0054] When a system has been powered on with a 
valid PAP installed (Secure mode) but no POP installed, 
POST will verify the PAP checksum. If the checksum is 
good, POST will prompt the user to enter the PAP if the 
System Reference Diskette is present or the System 
Partition boot is requested. Otherwise, POST will not 
prompt for a password and the POP, the PAP, the back- 
up PAP, the IPL device boot list, the EEPROM CRC, and 
all the indicators will be locked to prevent any access. 
If the PAP checksum is bad, an error is displayed and 
the system is halted. This is to prevent a condition where 
POST could accidentally give unprotected access to a 
user to a system which was previously in secure mode 
when the EEPROM failed. The system owner will need 
to intervene to remedy the situation which might require 
that the system board be replaced. 
[0055] When the system has been powered on with 
both a valid PAP and a valid POP installed, POST will 
prompt the user to enter a password. If the POP is en- 
tered, POST will not boot from the System Reference 
Diskette or the System Partition. The system can only 
boot using the existing IPL device list. If the PAP is en- 
tered at the prompt rather than the POP, the user can 
boot from the System Reference Diskette, the System 
Partition, the 1BL diskette, or the normal IPL device list. 
An indicator is set that signifies that the PAP was suc- 
cessfully entered at initial power up time, so that a sys- 
tem reference diskette or system partition boot may oc- 
cur later on in this power on session. The authorized 
user must be aware that once the PAP has been suc- 
cessfully entered, the system is available to boot the 



system reference diskette or system partition after a soft 
reboot (Ctrl-Alt-Del) as long as power is maintained. 
POST will not prompt the user for a password after a 
soft reboot, hence the need for the PAP successfully en- 

s tered indicator and its protection. Once finished with the 
system the authorized user must power off the system 
to prevent this situation from occurring. 
[0056] In brief, if a user can boot from the System Ref- 
erence Diskette or the System Partition on a cold start, 

10 the POP, the PAP, the backup PAP, the IPL device boot 
list, the EEPROM CRC, and all the indicators will remain 
unlocked. This condition gives trusted software (ie. the 
System Reference Diskette) and an authorized user ac- 
cess to the security parameters for the system. After 

is POST verifies that either password is entered correctly, 
it will acknowledge the entry by displaying a confirma- 
tion icon. POST will skip prompting for the POP as de- 
scribed above when Network Server (Unattended Start) 
Mode is active. 

20 [0057] Flowchart logic for the scenarios just described 
are depicted in Figures 8 and 9, where links between 
the steps specifically illustrated in Figures 9a and 9b are 
indicated by process blocks occupied by single letter 
designations in order to simplify the charting. 

25 [0058] A system that has the Network Server (Unat- 
tended Start) Mode installed will complete the booting 
process ail the way through the target operating system 
boot but the keyboard will be locked using the POP. 
However, if a system reference diskette is present or the 

30 System Partition boot is requested, the password 
prompt will be displayed to allow the owner to enter the 
PAP and gain control of the system, if a system is in the 
secure state and the user wants to boot from the system 
reference diskette or the system partition after the key- 

35 board is already locked out, the user must power the 
system down and initiate a cold boot, from a power off 
state with the system reference diskette in the diskette 
drive. 

[0059] In conjunction with the POST changes, the 

40 password utility must include support for the PAP. The 
utility will support installing, changing and removing a 
PAP, and will interlock these three functions with the po- 
sition of the option or security switch. The security switch 
should remain in the locked position until an authorized 

45 user wishes to set, change or remove the PAP. At that 
time, the user should remove the system covers and 
move the security switch to the unlocked (change) po- 
sition; then the PAP can be modified (either set, 
changed or removed). After PAP modification, the secu- 

50 rity switch should be returned to the locked position, and 
it should remain in that position until further modification 
is necessary. This will ensure maximum system security 
in the interim between PAP modifications. When the se- 
curity switch is placed in the unlocked position, hard- 

55 ware logic external to the EEPROM allows the storing 
of the PAP into the EEPROM. When the security switch 
is placed in the locked position, external hardware logic 
prevents any changes to the PAP locations in the EEP- 
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ROM. Appropriate messages will appear it the author- 
ized user attempts to modify the PAP when the security 
switch is in the locked position. Also, messages will re- 
mind the user to return the security switch to the locked 
position after a modification is complete. An additional 
safety feature is built into the password utility that pro- 
hibits the authorized user from setting the PAP equal to 
the POP. Checks will be made when setting or changing 
the PAP to ensure that the new PAP does not equal the 
current POP of the system. Also, when changing or re- 
moving the PAP, the current PAP must be known. 
[0060] It is contemplated that a personal computer 
system will initially be shipped with the security switch 
in the locked position and the tamper evident cover 
locked. This is done to prevent any person other than 
the system owner from setting the system into secure 
mode. Unlike the POP, the PAP cannot be erased 
through hardware manipulation. If the PAP is forgotten 
or an unauthorized user places the system into secure 
mode, the system board must be replaced. The logic 
represented in the above description can be found in 
Figure 8. 

[0061] In the drawings and specifications there has 
been set forth a preferred embodiment of the invention 
and, although specific terms are used, the description 
thus given uses terminology in a generic and descriptive 
sense only and not for purposes of limitation. 



Claims 

1 . A personal computer system (1 0) for receiving and 
retaining data and capable of securing data re- 
tained within the system against unauthorized ac- 
cess, the system comprising: 

a normally closed enclosure (15, 16); 
a system processor (1 ) mounted within said en- 
closure for controlling access to at least certain 
levels of data stored within the system; 

and characterised by 

an erasable memory element (59) mounted 
within said enclosure for selective activation to 
active and inactive states and for receiving and 
storing a privileged access password when in 
the active state, wherein said system processor 
is operatively connected with said erasable 
memory element; 

and an option switch mounted within said en- 
closure and operatively connected with said 
erasable memory element for setting said eras- 
able memory element to the active and inactive 
states, 

wherein said system processor controls access 
to at least certain levels of data stored within 
the system by distinguishing between the ac- 



tive and inactive states of said memory element 
and between entry and non-entry of any stored 
privileged access password. 

5 2. A personal computer system according to claim 1 
further comprising: 

a second erasable memory element mounted 
within said enclosure for receiving and storing 

10 data indicative of the state of the first said eras- 

able memory element and of correct entry of 
any stored privileged access password, and 
a tamper detection switch mounted within said 
enclosure and operatively connected with said 

is second erasable memory element for detecting 

unauthorized opening of said enclosure and for 
invalidating any privileged access password 
stored in the first said erasable memory ele- 
ment in response to any switching of said 

^0 tamper switch. 

3. A personal computer system in accordance with 
Claim 1 or 2 wherein said first erasable memory el- 
ement is an electrically erasable programmable 

25 read only memory device. 

4. A personal computer system in accordance with 
Claim 1 , 2 or 3 wherein said option switch functions 
for enabling an operator to select between secured 

30 operation of the system and unsecured operation 
of the system by selecting respecting active and in- 
active states of said first memory element. 

5. A personal computer system in accordance with 
35 Claim 4 wherein said option switch is manually op- 
erable and positioned within said enclosure for 
manual access only after opening of said enclosure. 

6. A personal computer system in accordance with 
40 Claim 2 wherein said second erasable memory el- 
ement is a battery backed CMOS RAM (68). 

7. A method of receiving and retaining data within a 
personal computer system (10) comprising a nor- 

45 mally closed enclosure (15, 16) and a system proc- 
essor (1), an erasable memory element (59), and 
an option switch mounted within said enclosure, the 
system processor and option switch being opera- 
tively connected to the erasable memory element 

50 which has an active and an inactive state, said 
method comprising the steps of: 

using the option switch to selectively set the 
erasable memory element into the active state 
55 to secure data retained within the system 

against unauthorized access; 
receiving and storing a privileged access pass- 
word in the erasable memory element in the ac- 
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tive state; and 

controlling access to at least certain levels of 
data stored within the system by distinguishing 
between the active and inactive states of the 
erasable memory element and between entry 
and non-entry of the privileged access pass- 
word. 

8. A method in accordance with Claim 7 wherein said 
step of selectively setting the memory element into 
active state comprises opening the system enclo- 
sure and manually changing the setting of the op- 
tion switch. 

9. A method in accordance with Claim 7 or 8 wherein 
said privilege access password represents a sec- 
ond password, and the method further comprises 
the steps of: 

providing for the reception by and storage in the 
system of first and second passwords and for 
the loading into the system of trusted and open 
programs; 

distinguishing among the storage of (a) no 
passwords, (b) a first password, and (c) a sec- 25 1. 
ond password; 

distinguishing between the loading and re- 
quested execution of (d) trusted and (e) open 
programs; 

distinguishing among the entry by a user of (f) 
no passwords, (g) the first password, and (h) 
the second password; and 
controlling access by a user to trusted pro- 
grams (d) in response to the entry by a user of 
the second password (h). 

10. A method according to Claim 9 wherein said step 
of distinguishing among storage of passwords com- 
prises distinguishing between the storage of a pow- 
er on password as the first password and of said 
privileged access password as the second pass- 
word. 



ond password (c). 

14. A method according to Claim 9 wherein said step 
of controlling access comprises recognizing the 
storage of a first password (b) and of a second pass- 
word (c), granting access to any program only to a 
user entering the first password (b), and granting 
access to a trusted program only to a user entering 
the second password (c). 



11. A method according to Claim 9 wherein said step 
of controlling access comprises recognizing the 
storage of no passwords (a) and granting access to 
any program by any user. 

12. A method according to Claim 9 wherein said step 
of controlling access comprises recognizing the 
storage of a first password (b) and granting access 
to any program only to a user entering the first pass- 
word (b). 

13. A method according to Claim 9 wherein said step 
of controlling access comprises recognizing the 
storage of a second password (c) and granting ac- 
cess to any program only to a user entering the sec- 



15. A method according to Claim 14 wherein said step 
of controlling access further comprises granting ac- 
cess to any program to a user entering the second 
password (c) absent any need to first enter the first 

is password (b). 

16. A method according to Claim 7 or 8, further com- 
prising the step of invalidating the privileged access 
password stored in the memory element in re- 

20 sponse to any switching of a tamper switch. 



Patentanspruche 



Ein Personalcomputersystem (10) zum Aufnehmen 
und Speichern von Daten, das in der Lage ist, die 
im System gespeicherten Daten gegen einen unbe- 
rechtigten Zugriff zu sichern, wobei das System urn- 
faBt: 

ein im Normalfall geschlossenes Gehause (1 5, 
16); 

einen Systemprozessor (1), der in dem Gehau- 
se montiert ist, urn den Zugriff auf wenigstens 
bestimmte Datenkomponenten zu steuern, die 
im System gespeichert sind; 

und gekennzeichnet durch 

ein loschbares Speicherelement (59), das in- 
nerhalb des Gehauses montiert ist, zur selekti- 
ven Aktivierung von aktiven und inaktiven Zu- 
standen und zum Empfangen und Speichern 
eines privilegierten Zugriffs-PaBworts im akti- 
ven Zustand, in dem der Systemprozessor mit 
dem loschbaren Speicherelement operativ ver- 
bunden ist; 

und einen Optionsschalter, der innerhalb des 
Gehauses montiert ist und mit dem loschbaren 
Speicherelement operativ verbunden ist, um 
das loschbare Speicherelement in den aktiven 
und inaktiven Zustand zu versetzen, 

wobei der Systemprozessor den Zugriff zu den 
mindestens bestimmten Datenkomponenten 
steuert, die im System gespeichert sind, durch 
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Unterscheiden zwischen dem aktiven und dem 
inaktiven Zustand des Speicherelements, so- 
wie zwischen dem Eintrag und dem Nichtein- 
trag eines beliebigen privilegierten Zugriffs- 
paBworts. 

2. Ein Personalcomputersystem gemaB Anspruch 1, 
das ferner umfaBt: 

ein zweites loschbares Speicherelement, das 
innerhalb des Gehauses montierl ist, zum Auf- 
nehmen und Speichern von Daten, die hinwei- 
send auf den Zustand des ersten loschbaren 
Speicherelements und auf den korrekten Ein- 
trag eines gespeicherten privilegierten Zugriffs- 
paBworts sind, und 

ein Schalter zur Erfassung eines unberechtig- 
ten Eingriffs, der innerhalb des Gehauses mon- 
tiert ist und operativ mit dem zweiten loschba- 
ren Speicherelement verbunden ist zum Erfas- 
sen eines unberechtigten Offnens des Gehau- 
ses und zum Ungultigmachen eines privilegier- 
ten Zugriffs-PaBworts im ersten loschbaren 
Speicherelement als Reaktion auf ein Schalten 
des Schalters zum Erfassen des unberechtig- 
ten Zugriffs. 

3. Ein Personalcomputersystem gemaB Anspruch 1 
oder 2, in dem das erste loschbare Speicherele- 
ment eine elektrisch loschbare programmierbare 
Festwertspeichervorrichtung ist. 

4. Ein Personalcomputersystem gemaB Anspruch 1 , 
2 oder 3 t in dem der Optionsschalter funktioniert, 
um einen Operator in die Lage zu versetzen, zwi- 
schen einer gesicherten Operation des Systems 
und einer ungesicherten Operation des Systems zu 
wahlen durch Anwahlen des aktiven bzw. des inak- 
tiven Zustands des ersten Speicherelements. 

5. Ein Personalcomputersystem gemaB Anspruch 4, 
in dem der Optionsschalter von Hand schaltbar ist 
und innerhalb des Gehauses zum Zugriff von Hand 
erst nach dem Offnen des Gehauses zuganglich 
wird. 

6. Ein Personalcomputersystem gemaB Anspruch 2, 
in dem das loschbare Speicherelement ein batte- 
riegestutzter CMOS RAM (68) ist. 
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ter operativ mit dem loschbaren Speicherelement, 
das einen aktiven und einen inaktiven Zustand auf- 
weist, verbunden sind, wobei dieses Verfahren die 
folgenden Schritte umfaBt: 

Betatigen des Optionsschafters, um selektiv 
das loschbare Speicherelement in den aktiven 
Zustand zu setzen, um im System gespetcherte 
Daten gegen einen unberechtigten Zugriff zu 
schutzen; 

Aufnehmen und Speichern eines privilegierten 
ZugriffspaBworts im loschbaren Speicherele- 
ment im aktiven Zustand; und 

Steuern des Zugriffs auf mindestens bestimmte 
im System gespeicherte Datenkomponenten, 
durch Unterscheiden zwischen dem aktiven 
und dem inaktiven Zustand des loschbaren 
Speicherelements sowie zwischen dem Ein- 
trag und dem Nichteintrag des privilegierten 
ZugriffspaBworts. 

Ein Verfahren gemaB Anspruch 7, in dem der 
Schritt des selektiven Einstellens des Speicherele- 
ments in den aktiven Zustand das Offnen des Sy- 
stemgehauses und Andern der Einstellung des Op- 
tionsschalters von Hand beinhaltet. 

Ein Verfahren gemaB Anspruch 7 oder 8, in dem 
das privitegierte ZugriffspaBwort ein zweites 
PaBwort darstelft, und das Verfahren femer die fol- 
genden Schritte beinhaltet: 

Vorsehen zum Aufnehmen und Speichern ei- 
nes ersten und eines zweites PaBworts im Sy- 
stem und zum Laden von vertraulichen und of- 
fenen Programmen in das System; 

Unterscheiden zwischen der Speicherung (a) 
keines PaBworts, (b) eines ersten PaBworts, 
und (c) eines zweiten PaBworts; 

Unterscheiden zwischen dem Laden und der 
angeforderten Ausf uhrung (d) vertraulicher und 
(e) offener Programme; 

Unterscheiden zwischen der Eingabe (f) keines 
PaBworts, (g) des ersten PaBworts, und (h) des 
zweiten PaBworts durch einen Anwender; und 



Ein Verfahren zum Aufnehmen und Speichern von 
Daten in einem Personalcomputersystem (10), ent- 
haltend ein im Normalfall geschlossenes Gehause 
(15, 16) und einen Systemprozessor (1), ein losch- 
bares Speicherelement (59) und einen Options- 
schalter, der innerhalb des Gehauses montiert ist, 
wobei der Systemprozessor und der Optionsschal- 
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Steuern des Zugriffs auf vertrauliche Program- 
me (d) als Reaktion auf die Eingabe des zwei- 
ten PaBworts (h) durch einen Anwender. 

10. Ein Verfahren gemaB Anspruch 9, in dem der 
Schritt des Unterscheidens bei der Speicherung 
von PaBwortern das Unterscheiden zwischen der 
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Speicherung eines Einschalt-PaBworts als das er- 
ste PaBwort und des privilegierten ZugriffspaBworts 
als das zweite PaBwort umfaBt. 

11. Ein Verfahren gemaB Anspruch 9. in dem der 5 
Schritt des Steuems des Zugriffs das Erkennen der 
Speicherung keines PaBworts (a) und das Erteilen 
des Zugriffs fur jedes beliebige Programm durch ei- 
nen beliebigen Anwender umfaBt. 

10 

12. Ein Verfahren gemaB Anspruch 9, in dem der 
Schritt des Steuerns des Zugriffs das Erkennen der 
Speicherung eines ersten PaBworts (b) und erteilen 
des Zugriffs auf ein beliebiges Programm nur an ei- 
nen Anwender, der das erste PaBwort (b) eingibt, is 
umfaBt. 

13. Ein Verfahren gemaB Anspruch 9, in dem der 
Schritt des Steuerns des Zugriffs das Erkennen der 
Speicherung eines zweiten PaBworts (b) und ertei- 20 
len des Zugriffs auf ein beliebiges Programms nur 

an einen Anwender, der das zweite PaBwort eingibt 
(c), erfaBt. 

14. Ein Verfahren gemaB Anspruch 9, in dem der 25 
Schritt des Steuerns des Zugriffs das Erkennen der 
Speicherung eines ersten PaBworts (b) und eines 
zweiten PaBworts (c), Erteilen des Zugriffs auf ein 
beliebiges Programm nur an einen Anwender, der 

das erste PaBwort (b) eingibt, und Erteilen des Zu- 30 2. 
griffs auf ein vertrauliches Programm nur an einen 
Anwender, der das zweite PaBwort (c) eingibt, um- 
faBt. 

15. Ein Verfahren gemaB Anspruch 14, in dem der 35 
Schritt des Steuerns des Zugriffs fernerdas Erteilen 
des Zugriffs auf jedes beliebige Programm fur einen 
Anwender umfaBt, der das zweite PaBwort (c) ein- 
gibt, ohne die Notwendigkeit, zuerst das erste 
PaBwort (b) eingeben zu mussen. *o 

16. Ein Verfahren gemaB Anspruch 7 oder 8, das ferner 
den Schritt der Ungultigmachung des privilegierten 
Zugriffs-paBworts enthalt, das im Speicherelement 
gespeichert ist, als Reaktion auf ein Umschalten 45 
des Schalters fur unberechtigten Eingriff. 



Revendications 

so 3. 

1. Un systeme d'ordinateur personnel (10) destine a 
recevoir et conserver des donnees et susceptible 
d'assurer des donnees, conservees a I'interieur du 
systeme, contre un acces non autorise, le systeme 
comprenant : 55 

4. 

une enceinte (15, 16) normalement fermee ; 



un processeur systeme (1) monte dans ladite 
enceinte, afin de controler I'acces a au moins 
certains niveaux de donnees stock^es dans le 
systeme ; 

et caracterise par : 

un element memoire effacable (59) monte dans 
ladite enceinte, pour activer selectivement en 
des etats actif et inactif et pour recevoir et stoc- 
ker un mot de passe d'acces privilege, lorsque 
I'on se trouve a Petat actif, dans lequel ledit pro- 
cesseur systeme est relie fonctionnellement 
audit 6l6ment m6moire effagable ; 

et un interruption d'option, monte a I'interieur 
de ladite enceinte et relie fonctionnellement 
audit element memoire effacable, pour fixer le- 
dit element memoire effacable aux etats actif et 
inactif, 

dans lequel ledit processeur systeme controle 
I'acces a au moins certains niveaux de don- 
nees, stock6es dans le systeme, en operant 
une distinction entre des etats actif et inactif du- 
dit element memoire, et entre I'entree et la non 
entree d'un mot de passe d'acces privil6gi6, 
stocke, quelconque. 

Un systeme d'ordinateur personnel selon la reven- 
dication 1 , comprenant en outre : 

un deuxieme ei6ment memoire effagable, mon- 
te a I'interieur de ladite enceinte, pour recevoir 
et stocker des donnees indicatives de I'etat du- 
dit premier element memoire effacable, et pour 
corriger Pentr6e de tout mot de passe d'acces 
privilegie, stocked eventuel, et 

un interrupteur de detection d'effraction, monte 
a I'interieur de ladite enceinte et relie fonction- 
nellement audit deuxieme element memoire ef- 
fagable, pour detecter une ouverture non auto- 
risee de ladite enceinte et pour invalider tout 
mot de passe d'acces privilegie, eventuel, stoc- 
ke dans ledit premier element memoire effaca- 
ble, en reponse a une commutation eventuelle 
dudit interrupteur d'effraction. 

Un systeme d'ordinateur personnel selon la reven- 
dication 1 ou 2, dans lequel ledit premier element 
memoire effagable est un dispositif a memoire a lec- 
ture seule, programmable, effagable 6lectrique- 
ment. 

Un systeme d'ordinateur personnel selon la reven- 
dication 1, 2ou 3, dans lequel ledit interrupteur d'op- 
tion fonctionne pour valider un operateur, afin de 
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proceder a une selection enlre un fonctionnement 
sur du systeme et un fonctionnement non sur du 
systeme, par une selection d'etats respectivement 
actif et inactif dudit premier element memoire. 

5. Un systeme d'ordinateur personnel selon la reven- 
dication 4, dans leque! ledit interrupteur d'option est 
actionnable manuellement et est positionne a I'in- 
terieur de ladite enceinte, pour permettre un acces 
manuel seulement apres ouverture de ladite en- 
ceinte. 

6. Un systeme d'ordinateur personnel selon la reven- 
dication 2, dans lequel ledit deuxieme element me- 
moire effacable est une RAM CMOS a sauvegarde 
par batterie (68). 

7. Un precede de reception et de conservation de don- 
n6es dans un systeme d'ordinateur personnel (10), 
comprenant une enceinte (1 5, 1 6) normalement fer- 
mee, et un processeur systeme (1 ), un element me- 
moire effacable (59), et un interrupteur d'option 
monte dans ladite enceinte, le processeur systeme 
et I'interrupteur d'option etant relies foncttonnelle- 
ment a Peiement memoire effacable ayant un 6tat 
actif et un etat inactif, ledit precede comprenant les 
etapes consistant a : 

utiliser I'interrupteur d'option pour fixer seiecti- 
vement reiement memoire effacable a I'etat ac- 
tif, afin d'assurer des donn6es conservees 
dans le systeme, face a un acces non autorise ; 

recevoir et stocker un mot de passe d'acces pri- 
viiegie dans reiement memoire effacable a 
I'etat actif ; et 

controler I'acces a au moins certains niveaux 
de donnees, stockees a Pinterieur du systeme, 
en operant une distinction entre les etats actif 
et inactif de I'6l6ment memoire effacable, et en- 
tre I'entr6e et la non entree du mot de passe 
privil6gie. 

8. Un procede selon la revendication 7, dans lequel 
ladite etape de fixation selective de reiement me- 
moire a I'etat actif comprend Pouverture de I'encein- 
te systeme, et le changement manuel du reglage 
de I'interrupteur d'option. 

9. Un proc6d6 selon la revendication 7 ou 8, caracte- 
rise en ce que ledit mot de passe d'acces privilegie 
represente un deuxieme mot de passe, et le proce- 
de comprend en outre les etapes consistant a : 

assurer la reception par, et le stockage dans, 
le systeme, de premier et deuxieme mots de 
passe, et le chargement dans le systeme, de 



programmes de confiance et ouverts ; 

distinguer parmi les stockages (a) d'aucun mot 
de passe, (b) d'un premier mot de passe, et (c) 
5 d'un deuxieme mot de passe ; 

distinguer entre le chargement et Pexecution 
requises de programmes, (d) de confiance et 
(e) ouverts ; 

10 

distinguer, parmi I'entree faite par un utilisateur, 
de (f) aucun mot de passe, (g) le premier mot 
de passe, et (h) le deuxieme mot de passe ; et 

15 controler I'acces par un utilisateur a un pro- 

gramme de confiance (d), en reponse a I'entree 
par I'utilisateur du deuxieme mot de passe (h). 

10. Un precede selon la revendication 9, dans lequel 
20 ladite etape de distinction parmi le stockage de 

mots de passe comprend la distinction entre le stoc- 
kage d'un mot de passe de mise en service, a titre 
de premier mot de passe, et dudit mot de passe 
d'acces privilegie, a titre de deuxieme mot de pas- 
25 se. 

11. Un procede selon la revendication 9, dans lequel 
ladite etape de controle d'acces comprend Pidenti- 
fication du stockage d'aucun mot de passe (a) et 

30 I'attribution d'acces a un programme quelconque, 
par un utilisateur quelconque. 

12. Un procede selon la revendication 9, dans lequel 
ladite etape de controle d'acces comprend Pidenti- 

35 fication du stockage d'un premier mot de passe (b) 
et I'attribution de I'acces a un programme quelcon- 
que, seulement a un utilisateur introduisant le pre- 
mier mot de passe (b). 

40 13. Un procede selon la revendication 9, dans lequel 
ladite etape de contrdle d'acc6s comprend Pidenti- 
fication du stockage d'un deuxieme mot de passe 
(c) et I'attribution de I'acces a un programme quel- 
conque, seulement par un utilisateur introduisant le 
45 deuxieme mot de passe (c). 

14. Un precede selon la revendication 9, dans lequel 
ladite etape de controle d'acces comprend Identi- 
fication du stockage d'un premier mot de passe (b) 

so et d'un deuxieme mot de passe (c), I'attribution d'ac- 
ces a un programme quelconque, seulement par un 
utilisateur introduisant le premier mot de passe (b), 
et I'attribution d'acces a un programme de confian- 
ce, seulement a un utilisateur introduisant le 
55 deuxieme mot de passe (c). 

15. Un precede selon la revendication 14, dans lequel 
ladite etape de controle d'acces comprend en outre 
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I'attribution de I'acces a un programme quelconque, 
a un utilisateur introduisant le deuxieme mot de 
passe (c), sans aucune necessite de commencer 
par introduire le premier mot de passe (b). 

s 

16. Un precede selon la revendication 7 ou 8, compre- 
nant en outre I'etape d'invalidation du motde passe 
d'acces privilegie, memorise dans I'element memoi- 
re, en reponse a une commutation eventuelle d'un 
interrupteur d'effraction. 10 
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